Join millions of investors on Stash

Investing, simplified

Start today with as little as $5

The Equifax Hack: What You Need to Know

Cybercriminals stole the personal details of 143 million consumers from Equifax, one of the three credit reporting bureaus in the U.S.

Criminals can use that information to set up fraudulent credit accounts in your name, and to commit other crimes.

If your identity has been stolen, there are steps you can take to recover, including contacting local authorities.

4 min read

News no one wants to wake up to: You may be one of millions of Americans now at risk for identity theft.

On Thursday the credit reporting agency Equifax said it had been the target of a massive cyber attack from mid-May through July.

What is Equifax?

Equifax is one of three credit reporting agencies, or bureaus. The others are Experian and Transunion. Credit reporting agencies collect data on consumers related to all aspects of their financial lives, including bank and credit card account information, mortgages, and bankruptcies. They file this information in something called a credit report.

Credit reporting agencies also create something called a credit score, ranging from 300 to 850; the latter is considered perfect credit. Credit scores affect the cost of loans, and all consumers who have applied for credit have a credit score.

What happened?

Equifax said cybercriminals gained access to its network by exploiting a website vulnerability, making off with the personal information for 143 million U.S. consumers ( nearly half the country’s population). That information included names, addresses, social security numbers, birth dates, and in some cases driver’s license numbers.

This kind of stolen information is bought and sold by criminals on the black market, and via something called the Dark Web.

Numerous other companies in recent years have suffered big hack attacks resulting in the loss of important customer data. Two such attacks include Yahoo, where names and email addresses for 3 billion customers were stolen in two separate attacks staring in 2013, and JPMorgan Chase which lost names and log-ins for about 80 million accounts in 2014. The Equifax hack attack, however, is the most significant such breach in terms of potential damage to consumers, financial experts said.

“On a scale of one to 10, this is a 10 in terms of potential identity theft,” Avivah Litan, a senior security analyst for research firm Gartner told the New York Times on Thursday. “Credit bureaus keep so much data about us that affects almost everything we do.”

The breach is also problematic because credit reporting agencies including Equifax provide services to consumers that monitor credit behavior for risk from fraudsters.

What could this hack mean for me?

Cybercriminals have stolen up to five vital pieces of information necessary for establishing fraudulent financial accounts. If you’re affected by the break in, hackers could potentially open accounts in your name.

In addition to credit card accounts, cybercriminals can apply for other loans in your name, including mortgages. Additionally, they can commit medical insurance fraud, or file for tax returns. With your personal information, it’s also possible for cybercriminals to commit non-financial crimes in your name.

What does this mean for investors?

The breach is bad news for Equifax, a publicly traded company entrusted with some of the most valuable information that consumers have.

As a side note, three top Equifax executives, including the company’s chief financial officer, sold stock worth nearly $2 million immediately following the breach, according to various reports. In response, Equifax said the executives had no knowledge of the break in prior to the sale, the Wall Street Journal reports.

Note: Global Citizen, an ETF on Stash contains a small amount of stock in Equifax.

Equifax said cybercriminals gained access to its network by exploiting a website vulnerability, making off with the personal information for 143 million U.S. consumers ( nearly half the country’s population).

What can I do about it?

There are things you can do to protect yourself. Before you start panicking, read this:

Credit monitoring. Equifax says it will provide one free year of credit monitoring services, which consumers can sign up for online. It requires entering the last six digits of your social security number and last name. If you sign up, you’re agreeing to arbitration related to the use of Equifax’s credit monitoring service, but not for the hack attack itself, the company says.

Consider freezing your credit. This is a security measure that will make it more difficult for cybercriminals to open a new line of credit in your name. You can find out more about that here.

Change passwords for all online accounts, and regularly update them. This can include email, as well as financial accounts. Use two-factor authentication when possible. Various online services exist to help you secure your accounts. LastPass is one example. There are many others. Just because it is so important, we will say this again: If any websites you use offer two-factor, turn it on.

Report it. If you become the victim of identity theft, report it to your local police department. Also file a report with the Federal Trade Commission, which can help you create an identity theft recovery plan. You can do that here.

Check your credit report for irregularities. You’re entitled to a free copy every year from each of the three credit reporting agencies.

Contact your local DMV if you believe your driver’s license number was stolen.

Contact the Social Security Administration if you believe someone has obtained, or is fraudulently using your social security number. The agency’s website can be found here.

Want to know more about the steps you can take to protect yourself? Click here.

Disclaimers

This material has been distributed for informational and educational purposes only, represents an assessment of the market environment as of the date of publication, is subject to change without notice, and is not intended as investment, legal, accounting, or tax advice or opinion. Stash assumes no obligation to provide notifications of changes in any factors that could affect the information provided. This information should not be relied upon by the reader as research or investment advice regarding any issuer or security in particular. The strategies discussed are strictly for illustrative and educational purposes and should not be construed as a recommendation to purchase or sell, or an offer to sell or a solicitation of an offer to buy any security. There is no guarantee that any strategies discussed will be effective.

Furthermore, the information presented does not take into consideration commissions, tax implications, or other transactional costs, which may significantly affect the economic consequences of a given strategy or investment decision. This information is not intended as a recommendation to invest in any particular asset class or strategy or as a promise of future performance. There is no guarantee that any investment strategy will work under all market conditions or is suitable for all investors. Each investor should evaluate their ability to invest long term, especially during periods of downturn in the market. Investors should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Before investing, please carefully consider your willingness to take on risk and your financial ability to afford investment losses when deciding how much individual security exposure to have in your investment portfolio.

Past performance does not guarantee future results. There is a potential for loss as well as gain in investing. Stash does not represent in any manner that the circumstances described herein will result in any particular outcome. While the data and analysis Stash uses from third party sources is believed to be reliable, Stash does not guarantee the accuracy of such information. Nothing in this article should be considered as a solicitation or offer, or recommendation, to buy or sell any particular security or investment product or to engage in any investment strategy. No part of this material may be reproduced in any form, or referred to in any other publication, without express written permission. Stash does not provide personalized financial planning to investors, such as estate, tax, or retirement planning. Investment advisory services are only provided to investors who become Stash Clients pursuant to a written Advisory Agreement. For more information please visit www.stashinvest.com/disclosures.

Stash Investments LLC ("Stash") is an SEC registered investment adviser. By using this website, you accept our Terms of Use and Privacy Policy. Stash’s investment advisory services are available only to residents of the United States in jurisdictions where Stash is registered. Nothing on this website should be considered an offer, solicitation of an offer, or advice to buy or sell securities. Past performance is no guarantee of future results. Any historical returns, expected returns or probability projections are hypothetical in nature and may not reflect actual future performance. Account holdings are for illustrative purposes only and are not investment recommendations. The content on this website is for informational purposes only and does not constitute a complete description of Stash’s investment advisory services. Certain investments are not suitable for all investors and are not available to all Stash Clients. A full list of available investments on Stash can be found here. Stash does not provide financial planning services to individual investors. Before investing, consider your investment objectives and Stash’s fees and applicable custodial fees. Stash Financial, Inc. is a digital financial services company offering financial products for U.S. based consumers. Deposit Product - (“Debit Account Services” provided by Green Dot Bank, Member FDIC). Advisory products and services are offered through Stash Investments LLC, an SEC-registered. Stash Capital LLC, an SEC registered broker-dealer and member FINRA/SIPC, serves as introducing broker for Stash Clients’ advisory accounts. Apex Clearing Corporation, a third-party SEC registered broker-dealer and member FINRA/SIPC, provides clearing and execution services and serves as qualified custodian for advisory assets of Stash Clients. Products offered by Stash Investments LLC and Stash Capital LLC are Not FDIC Insured, Not Bank Guaranteed, and May Lose Value. For more information, see our disclosures. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

*1 month equals 30 days from the date of account sign-up. Other fees may apply. Clients may incur ancillary fees charged by Stash and/or it’s custodian that are not included in the monthly Wrap-Fee.